libarchive - Debian Package Tracker

general

source: libarchive (main)
version: 3.8.5-1
maintainer: Gabriel Barrantes (DMD)
uploaders: Antoine Le Gonidec [DMD] – Syed Shahrukh Hussain [DMD]
arch: any
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.4.3-2+deb11u1
o-o-sec: 3.4.3-2+deb11u3
oldstable: 3.6.2-1+deb12u3
old-sec: 3.6.2-1+deb12u2
stable: 3.7.4-4
testing: 3.8.5-1
unstable: 3.8.5-1

versioned links

3.4.3-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.4.3-2+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.2-1+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.2-1+deb12u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.7.4-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.8.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libarchive-dev
libarchive-tools (3 bugs: 0, 2, 1, 0)
libarchive13t64 (1 bugs: 0, 0, 1, 0)

action needed

A new upstream version is available: 3.8.6 high

A new upstream version 3.8.6 is available, you should consider packaging it.

Created: 2026-03-12 Last update: 2026-03-15 19:01

2 security issues in trixie high

There are 2 open security issues in trixie.

1 important issue:

CVE-2026-4111: A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

1 issue left for the package maintainer to handle:

CVE-2025-5918: (needs triaging) A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-06-09 Last update: 2026-03-14 21:00

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-4111: A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

Created: 2026-03-14 Last update: 2026-03-14 21:00

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-4111: A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

Created: 2026-03-14 Last update: 2026-03-14 21:00

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2026-4111: A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

Created: 2026-03-14 Last update: 2026-03-14 21:00

2 security issues in bookworm high

There are 2 open security issues in bookworm.

1 important issue:

CVE-2026-4111: A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

1 issue left for the package maintainer to handle:

CVE-2025-5918: (needs triaging) A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-06-09 Last update: 2026-03-14 21:00

RFS: A sponsor is needed to update this package. normal

A Debian contributor is looking for a sponsor to upload a package update. It might be the regular maintainer who does not have any upload right yet, or it might be someone who just wants to help for a bugfix or a new upstream version. In any case, if you have upload rights and care about this package and Debian in general, you should look into sponsoring this update. Please see bug number #1130769 for more information.

Created: 2026-03-15 Last update: 2026-03-15 03:16

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 3.8.5-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 56c5a2b5229d75b5443b8bb3d5c7f0343e7689de
Merge: a71efee d75143c
Author: Gabriel Barrantes <gabriel.barrantes.dev@outlook.com>
Date:   Sat Mar 14 22:53:04 2026 +0000

    Update upstream source from tag 'upstream/3.8.6'
    
    Update to upstream version '3.8.6'
    with Debian dir ef1d99be4490352ac04fee8fd212f7a15648b3f8

commit d75143c8c44d6a8e470a3c0d5f09a08785ba69f6
Author: Gabriel Barrantes <gabriel.barrantes.dev@outlook.com>
Date:   Sat Mar 14 22:52:24 2026 +0000

    New upstream version 3.8.6

commit a71efeeabf3640eb05bc0f741739a5fad8524f11
Author: Antoine Le Gonidec <vv221@debian.org>
Date:   Fri Feb 13 23:41:54 2026 +0100

    Update Uploaders list
    
    I am interrupting my Debian activitites, and as such am not going to keep sponsoring uploads of this package.

Created: 2026-02-16 Last update: 2026-03-15 01:03

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2026-03-15 Last update: 2026-03-15 01:03

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-08-15 Last update: 2026-02-28 11:00

news

[rss feed]

[2026-01-22] libarchive 3.8.5-1 MIGRATED to testing (Debian testing watch)
[2026-01-11] Accepted libarchive 3.8.5-1 (source) into unstable (Gabriel Barrantes) (signed by: Antoine Le Gonidec)
[2026-01-08] Accepted libarchive 3.8.4-1 (source) into unstable (Antoine Le Gonidec)
[2025-11-11] Accepted libarchive 3.4.3-2+deb11u3 (source) into oldoldstable-security (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-08-27] Accepted libarchive 3.6.2-1+deb12u3 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2025-07-30] libarchive 3.7.4-4 MIGRATED to testing (Debian testing watch)
[2025-07-26] Accepted libarchive 3.7.4-4 (source) into unstable (Peter Pentchev)
[2025-05-08] libarchive 3.7.4-3 MIGRATED to testing (Debian testing watch)
[2025-04-27] Accepted libarchive 3.7.4-3 (source) into unstable (Peter Pentchev)
[2025-04-26] Accepted libarchive 3.7.4-2 (source) into unstable (Peter Pentchev)
[2024-11-11] Accepted libarchive 3.4.3-2+deb11u2 (source) into oldstable-security (Adrian Bunk)
[2024-11-11] Accepted libarchive 3.6.2-1+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2024-11-10] libarchive 3.7.4-1.1 MIGRATED to testing (Debian testing watch)
[2024-11-09] Accepted libarchive 3.6.2-1+deb12u2 (source) into stable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2024-11-03] Accepted libarchive 3.7.4-1.1 (source) into unstable (Salvatore Bonaccorso)
[2024-08-09] libarchive 3.7.4-1 MIGRATED to testing (Debian testing watch)
[2024-08-07] Accepted libarchive 3.7.4-1 (source) into unstable (Peter Pentchev)
[2024-06-09] Accepted libarchive 3.6.2-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2024-06-06] libarchive 3.7.2-2.1 MIGRATED to testing (Debian testing watch)
[2024-06-05] Accepted libarchive 3.6.2-1+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2024-06-03] Accepted libarchive 3.7.2-2.1 (source) into unstable (Salvatore Bonaccorso)
[2024-04-25] libarchive 3.7.2-2 MIGRATED to testing (Debian testing watch)
[2024-03-31] Accepted libarchive 3.7.2-2 (source) into unstable (Peter Pentchev)
[2024-02-29] Accepted libarchive 3.7.2-1.1 (source) into unstable (Lukas Märdian)
[2024-01-31] Accepted libarchive 3.7.2-1.1~exp1 (source) into experimental (Steve Langasek)
[2023-10-18] libarchive 3.7.2-1 MIGRATED to testing (Debian testing watch)
[2023-10-14] Accepted libarchive 3.7.2-1 (source) into unstable (Peter Pentchev)
[2023-01-30] Accepted libarchive 3.3.3-4+deb10u3 (source) into oldstable (Thorsten Alteholz)
[2022-12-27] libarchive 3.6.2-1 MIGRATED to testing (Debian testing watch)
[2022-12-27] libarchive 3.6.2-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 10
RC: 0
I&N: 7
M&W: 2
F&P: 1
patch: 0

links

homepage
lintian (0, 3)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.8.5-1ubuntu1
3 bugs
patches for 3.8.5-1ubuntu1